: 
3 ¢ 


Government 


= 
Office of the Bureau du 
Auditor General vérificateur général 
of Canada du Canada 


DISCUSSION PAPER NO. 45 


AUDIT RISK AND AUDIT RISK ANALYSIS 
IN VALUE-FOR-MONEY AUDITING 


by 


Rona Shaffran 


March 1985 


DISCUSSION PAPER SERIES 
DOCUMENTS DE DISCUSSION 


tached paper has been prepared to stimulate Le document ci-joint vise 4 stimuler la réflexion et 
it and discussion regarding our audit la discussion sur nos activités de vérification. Les 
ies. The views expressed are those of the opinions exprimées dans ce texte sont celles de 
* and therefore should not be construed as_ l'auteur et, par conséquent, ne lient pas le Bureau. 
of the Office. 

Vos commentaires seraient appréciés et vous étes 
‘omments would be appreciated and should be _ priés de les faire parvenir a l'auteur. 
2d to the attention of the author. 

Vous pouvez vous procurer des exemplaires 
onal copies of this paper, or other papers in supplémentaires de ce document ou des autres 
Jiscussion Paper Series", may be obtained écrits de la série des "Documents de discussion" en 
h the PROFESSIONAL PRACTICES GROUP. vous adressant a la DIRECTION DES METHODES 

PROFESSIONNELLES. 


DISCUSSION PAPER NO. 45 


AUDIT RISK AND AUDIT RISK ANALYSIS 
IN VALUE-FOR-MONEY AUDITING 


by 


Rona Shaffran 


March 1985 
F ie & “a oe : . 
¢ Gin 
Ks ais i 
a a 
J. o¥ % 
. ial 
ae bs 25 


Digitized by the Internet Archive 
in 2022 with funding from 
University of Toronto 


https://archive.org/details/31/61115497182 


INTRODUCTION 


The available literature on audit risk generally addresses the 
subject from the attest perspective. Audit risk in the context of 


value-for-money auditing has received limited treatment. 


This paper draws on the attest literature to define overall 
audit risk in terms of the value-for-money areas of economy, efficiency 
and effectiveness. The effects of overall audit risk, both for the 
audit entity and for our Office, are discussed. The paper concludes by 


exploring approaches to analyse and minimize overall audit risk. 


The Professional Practices group requested this work for 
consideration in revising the Comprehensive Auditing Manual. The 
paper was prepared based on a review of the literature on audit risk and 
an examination of our current Comprehensive Auditing Manual and Audit 
Guides. Drafts of the paper were discussed with a number of Assistant 
Auditors General, Principals, Directors and Auditors in our Office. 


Their time and contributions are gratefully acknowledged. 


PURPOSE 


Two recent Office initiatives highlight the importance of 


addressing audit risk. The Report on the Review of the Evolution of 


Comprehensive Auditing, May 1983, notes substantial variation in the 


current process of selecting areas for audit. It recommends improved 


guidance for determining and selecting key areas for audit and the 


153 HT ial WS 


ar’ sm | | 
era Seti tthe; 06 scent wt a we year 
fibud See foun qacezeed ev inne gaetign twe 
tostebest To Sedan oily ) ) atew veqeq ens * 
avian tue ark icesttgn fhe wwbaaaita Snel 
oe yl Laacese: ho oneal 


; - 
~~. . 


1 snaeriodml att sigan aaa $ah236 tir 
iyo smite to ela ala «AF stil 
@hT a natin tray, Lasoo eoton ,C00L YAM ,oul. 
avast» abuneaernse a ,Sihud GOR Gaeta gaisteeiac © 

tte bog 7 Cu eat note (edipattneion bas puinie 


’ 


factors (materiality, risk, etc.) to be considered in selecting then. 
With regard to our current situation, the Report states that: 
Existing guidelines (including those relating 
to materiality and risk) for selecting key 
areas for audit (lines of enquiry and matters 


of potential significance) are seen to be 
insufficient. 1 


The Updated Draft Report on the Audit Philosophy Project, 25 
May 1984, outlines that departmental audit teams should do sufficient 
Section 7 work each year to recognize areas of significant risk and 
should develop an appropriate audit and reporting strategy related to 
all such areas. Moreover, the Report emphasizes that such comprehensive 
risk analysis of programs and departments would cover all areas of our 
mandate - attest, authority, value-for-money and other matters. It 
recommends that: 

What is 'significant' and what defines 

a 'risk' has to be addressed and 


clarified to develop audit guidelines for 
both planning and reporting. 2 


DEFINITION 


This paper defines overall audit risk in general value-for- 
money terms of economy, efficiency and effectiveness. Overall audit 
risk, however, may vary relative to the audit mandate being applied. 
Thus, overall audit risk in the context of audits carried out under the 
Auditor General Act may have different ramifications than audit risk in 
the context of the Special Examination. The definition outlined here 


can be adapted to the particular audit mandate at issue. 


by an ane i 
pee aie a a | 


suo. 30 @4S28 pie 
3 acd Pan 


-eeteautar Conon ed. marke dbhue thaseve wentteb sou) 
tttue Lhereeve anitevizowtte baw yaniebeitte: yyoor: 
bat loge cited: aonb: geile whe nd avbapion Yxev \" 
on? Nene: eS tokwnen cate eens Ma ade gli 


) seit sibwh eile a snanionn evar yak 2+ 
sotsin waldenieex® Tetooys + 


a os satin ata 9 


In value-for-money terms, overall audit risk is the 
possibility that significant deficiencies exist in the audit entity or 
the area audited and the auditor unknowingly fails to detect these 
@eficiencies. Overall audit risk is a combination of two separate 
elements - client risk and audit risk. Client risk exists independent 
of the audit. It is the possibility that significant deficiencies exist 
in the audit entity or the area audited. Audit risk is the possibility 
that audit procedures will not detect the significant deficiencies 


existing in the audit entity. 


Client risk results from risks inherent in the nature of the 
entity's operations - inherent risk - and risks arising from weaknesses 
in the entity's internal control systems - control risks. Inherent risk 
is the possibility that significant deficiencies will arise by virtue of 
the program, its relationships with other parties, or the environment in 
which it operates. In other words, inherent risk is the possibility 
that significant deficiencies will arise because of the susceptibility 
of the audit entity or the environmental conditions in which it operates 
to such deficiency. Some entities, therefore, have greater inherent 
risk, by definition, than do others. For example, all other 
considerations being equal, an entity with extensive interdepartmental 
operations or one with many decentralized activities can be expected to 
be at greater risk of significant deficiency than an entity that is 


only intradepartmental in nature. 


ot? to erutam edt) mi panes hme sti: 


fais dneuddl sakels sowtea i . 
(Oo sudoiv ya eelve Lily seieasioliee gepplsingl« dedz \*- 
a! Sosmozives stv) de prmpnibne eT 6 
strat a 
~Stlidieasq eff af teks seosedak setae seato ne: 
ey trig: i sannniie edih Sn wemnied-aukus SEhe Sth : 
rasitege tf Motes ah paneshhoge. emeenredie, ous SO Y9it0- 
soezecitl <etaetR ave sdahameed a oe 


ininessyaqetracm, 


Control risk is the possibility that significant deficiencies 
will occur by virtue of weaknesses in relevant controls. In other 
words, control risk is the possibility that significant deficiencies 
will not be prevented or detected on a timely basis or at all by the 


entity's system of internal controls. 


The second element of overall audit risk - audit risk - 
pertains to the effectiveness of audit methodology, audit procedures and 
their application by the audit team. Audit risk can result from 
sampling risk and non-sampling or other risks. Sampling risk is the 
possibility that the sample examined is not representative of the total 
population. > Other risks or non-sampling risks include: the 
possibility of the auditor not detecting a deficiency within the sample; 
failing to design a procedure capable of disclosing the deficiency or 
failing to consider relevant evidence; using and relying on data of 
uncertain quality; using faulty assumptions; and, arriving at illogical 


“ 4 
conclusions. 


Overall audit risk might also cover the possibility that the 
audit will conclude that a significant deficiency exists when this is 
not the case. Such a risk, however, would appear to be low for at least 
two reasons. First, it is in the audit entity's self-interest to bring 
inaccuracies of that type to our attention prior to reporting. Second, 
the likelihood of the error surviving to the final report is remote 
given audit testing in the examination phase, internal reviews and 
internal challenges. Paul Munter, writing in the CPA Journal, argues 


that risk of this type is concerned with the efficiency of the 


(h° 


jae >this + Meee +t teem 8) 
ee ee 
ao.) Stgwee can gals Pia 280? sibbe 
a's padiqeen .e@nis wed tf nk ignee-nee be: 
ic evidegheaesgay Sep si Genlenxe otqnes"ens 70 
2 «-ehilend weet= gotiqeeenon 50 eferr 5°" 
ns abighe yanebaljet @ @eldeereh Joa wesiowe an: i: 
moishae t7 gn] Gereeid to @iaegen errheog & 4: 
rh ao Satie ana Paras (@caed tre Saniel es gad: 
ts ivivis. bas  ceaeaoqenete Gripes aims 14. '- 


- 


<ake oot!) diddog ead tensa vere Siplel Mela vitee 1. 
sift egy exakite yortelink west tiage # #063 ef. 
1 wet at 62 eqQuelttete gE Glebe s Boo 
ove} Hh ~S 106 ee. seer" 


examination (i.e., how quickly the proper audit conclusion is reached) 
and is not audit risk as defined by the Statement on Auditing Standards 


No. 47.° For the reasons outlined above, the paper will not address this 


form of overall audit risk. 


EFFECTS OF OVERALL AUDIT RISK 


Where an audit concludes that value-for-money has been 
achieved or that no significant deficiencies have been observed when, in 
fact, such deficiencies exist, the effects are far-reaching, both for 


the audit entity and for our Office. 


For the audit entity, if significant deficiencies go 
undetected they will in all likelihood persist. This situation can 
result in continued diseconomies, inefficiencies or ineffectiveness. 
The entity's assets will be at risk as a result. Possible effects may 


range from loss of revenue to loss of public confidence. 


For our Office, overall audit risk has serious effects in 
terms of our mandate. We provide false comfort and false assurances to 
Parliament, which relies on our audit conclusions, if we unknowingly 
fail to detect significant deficiencies and report that value for money 
has been achieved or that no significant deficiencies are present. We 
fail to fulfil our role and mandate as a result. Moreover, our 
credibility and stature will be severely undermined if the entity 
realizes our error or if the significant deficiency is detected and 


reported by some other body. 


APPROACHES FOR ANALYSING AND MINIMIZING OVERALL AUDIT RISK 


Overall audit risk can occur if auditors select matters for 
examination that do not contain the significant deficiencies present or, 
if, in relation to any specific matter selected, the audit fails to 
detect the significant deficiencies that exist. This section outlines 


procedures for minimizing overall audit risk. 


To minimize overall audit risk, analysis of risk should play a 
key role in selecting areas for audit and in designing an audit 
strategy during the planning phase. To select areas for audit based on 
risk, it is necessary to determine the extent of client risk present in 
the entity - that is, to identify areas containing or likely to contain 


significant deficiencies. 


The Sune of client risk present in the entity is essential 
in determining the audit strategy and the level of audit intensity 
required to conduct the examination. Thus, to minimize overall audit 
risk, it is also necessary to reduce audit risk by applying appropriate 


audit procedures capable of detecting significant deficiencies. 


> 


a 
_ 
Fv 
a 7 go: ore 
Paty ‘Kiser 
a = » nar 
ye! deceit ee ‘heii $as> nat 
:  ¢ : am 6 & a? os 
« chad ~ _ 7 i 
. Reeeen Parsciiiey = © 


a cooksbee wn < ‘ ore naa 
a ie SoBe Mpnttiains 


» 
7 


7 - 


« year bigwhe ess bo fingindia aeee hte Pisces ecie'-.. 
‘thus or gigs ae at tnd dios sO% sowse eeeres | 
eo Sauna 2tGge: FOU aah scape ot wendy printely es 
<p soheey thes gnebeo io amigea) ei? eolawerad oF yree- 
fliesten op Sense 1% pRAnbesnoy aeeRA YRLSueht 07 sel ce 
© jeeizee!:. 


a 
, 


lage eee el GHUAa edt Re demeneg MRMe cmelie Be oo8” 
ctinnecr > sites, oe jevel wit one ‘quezette Situs * °° 


+*hun Lisse> priahele oe yaad? relten tame Cs ee 


ntelseseyee Geryndde Ut dak tikes ebeken 6 qzaeee + 


oninaedeiep eneapeeapte GRSoaTad Be ite: 
ae 


7 


Analysing Client Risk 


To select areas for audit based on risk, the first step is the 
recognition by the audit team that a given condition represents a 


significant deficiency or carries the risk of significant deficiency. 


The possibility that a significant deficiency exists or is 
likely to exist will vary with the presence or absence of certain 
conditions in the audit entity. For purposes of this paper, these 


conditions are called client risk indicators. 


The following charts of client risk indicators are organized 
by inherent and control risk. These charts are a generic and 
preliminary listing of conditions in an audit entity that represent a 
significant deficiency or carry the risk of significant deficiency. For 
each audit, it will be necessary to identify client risk indicators 
peculiar to the entity. The charts can be used by the auditor during 
the planning stage as one means of ensuring that significant 
deficiencies present are recognized as such. It has been observed that, 
used in isolation, such a checklist approach will give rise to a false 
sense of security. Charts of this type, however, are intended to be 
used as an aid to the auditor in combination with other procedures, 


judgement, experience and practical concerns. 


During the audit planning phase, the auditor should collect 
information on the extent to which client risk indicators are 
present. The auditor should begin by assessing inherent risk. For each 
indicator, the auditor should determine if it is present and, if so, the 
extent to which it exists - high, medium or low occurrence. The auditor 
may also need to weight the indicator in relation to its importance in 
the context of the entity. For each indicator present, the auditor 
should consider whether it has resulted in any significant effects in 
the past or whether it is likely to result in any such effects in the 
future. Effects might include loss of revenue, lowered public 
confidence, etc. The auditor should also examine the combined effects 
of all the inherent risk indicators present. It may be that the 
particular environment of the entity or a management style that is 
especially aware of the program's constituency could cancel out the 


otherwise negative effect of an indicator. 


The charts provide a preliminary list of inherent risk 
indicators. The types of value-for-money deficiencies - economy, 
efficiency or effectiveness - relevant to the indicator are also noted. 
The indicators are organized by: environment; mandate; resources; 


operations; management style; staff; and audit experience. 


sdoette Bentdacd ea¥ canon 
en2 oe du 


Soca oe | 


Type of Significant Deficiency 


Econ Effic Effect 
Inherent Risk Indicators 
Environment 
1. International or domestic political, X X X 


social, environmental or economic 
issues that could have adverse effects 


on operations. 


2. Pressure on management (from press, X X X 
Parliament, central agencies, etc.) to 


present results in a particular light. 
Increased performance pressure may 
increase pressure to circumvent 
controls, thereby increasing the 
probability of significant diseconomies 
inefficiencies, or ineffectiveness. 


3. High rate of consumer complaints - X X 
consumer complaints can indicate the 


presence of inefficiencies or the lack 
of effectiveness. 


4. Demands from aggressive constituent xX a xX 
lobby groups - this can increase the 

probability of diseconomies, 

inefficiencies or ineffectiveness. 


Mandate 
5. New legislation or regulatory X A 


provision recently applied - a new 
approach or procedure can result in 


the increased probability of 
significant inefficiencies during the 
"break-in" period. 


6. Unclear legislative mandate - lack X x 
of clarity can result in significant 


deficiency in the area of effectiveness 
and efficiency. 


Resources 
7. Nature of expenditures - certain X xX = 


types of expenditures are more at 
risk of deficiency than others. e.g., 
a granting program is more risky than 
a program making small, regular 
payments, like Old Age Pensions. 


: . nah = gatas kt 
+3 Siueet ~ 
_ eiegiare a) 
% & glegées ~ Beaudibcs.— 
a 2 ee 


it ,eeente Gass ~~ i 
» 


10 


Type of Significant Deficiency 
Econ Effic Effect 


8. Large operation in person-years Xx X 
and cost of resources used - the 


larger the operation, the higher the 
probability of significant 
diseconomies or inefficiencies. 


9. Rapid expansion of operation or rapid x 4 


internal rate of growth - this 
stretches personnel such that 


deficiencies can arise. The more 
rapid the growth, the higher the 
probability of a decrease in quality 
and a subsequent drop in 
effectiveness. 


10. Inadequate number of resources - x m6 
this can result in inefficiency or 
ineffectiveness. 


ll. Large blocks or surges of xX 
expenditure (capital assets, 

manpower, consulting, or steady large 
acquisitions) - by its nature, this 

type of operation increases the 
probability of diseconomies. 


12. Operation includes human and X 
material resources that, either 
individually or together with their 
related operation and maintenance 

costs, represent a significant 


portion of present or expected 
future budgets - by its nature, this 


type of operation increases the 
probability of economy-related 
deficiencies. 


13. Disproportionate growth in X 
resources used, in comparison with 


qrowth in workload - to the extent 
that this is evident, inefficiencies 


may be present. 


14. Idle personnel - this can indicate = xX 
presence of inefficiencies or 
diseconomies. 


; £  aaimtsie ab ae eo 


ea ae 
> 


aa 


Type of Significant Deficienc 
Econ Effic Effect 

15. Underused equipment - this can xX 

indicate the presence of diseconomies 

and inefficiencies. 

16. Vacant or poorly used building X X 

space - this can indicate the presence 

of inefficiencies or diseconomies. 

17. A_lot of EDP systems and x x 

equipment - this can indicate that 

diseconomies or inefficiencies are 

present. 

18. Program cuts/restraint - this can X X 

increase the probability of 

inefficiencies and ineffectiveness. 

Alternatively, it can have the reverse 

effect. 

Operations 

19. Operating complexity - as X x 


operating complexity increases - 

e.g. interdepartmental or decentralized 
operations - the probability of significant 
duplication and counter-productivity 


increases. 

20. Newly installed operational X xX 
approach/system - see #5. 

21. Routine and repetitive operations - xX 


this type of operation can be expected 
to increase the probability of 


inefficiencies. 

22. Labour-intensive operations - xX 
see #21. 

23. Operations heavily oriented to X 
manual work - see #21. 

24. Operations in which delays or x 


errors are important delivery 


concerns - see #21. 


25. Excessive work backlog - backlog X 


may indicate the presence of 
inefficiencies. 


bojoegxe ed, 69 
~ Se ee 


~ pMoliazege. eyin0: 


oe pedeelsh vilves: « 


rs 


Ist as - 


ne son ¢> 
gadoig* 
lp 4 é 


> 


12 


Type of Significant Deficiency 
Econ Effic Effect 


26. Intangible, unmeasurable outputs - dS 
these can increase the probability of 
inefficiencies. 


27. Unmeasurable or inappropriate X 
objectives - these can increase the 
probability of ineffectiveness. 


28. Recently merged operations - X x 
this increases the probability of 


inefficiencies and ineffectiveness 
during the "break-in" period. 


Management Style 


29. Lack.of "good faith" in X x X 
management - this conveys a lack 

of concern for value for money and 

can increase the possibility of 

Significant deficiencies of all 

types. 


30. Lack of understanding of the x x x 


program and its constituency by 
management - to the extent that 


this exists, the possibility of 
significant deficiencies increase. 


Statt 


31. Poor fit of skills to tasks =- the X X x 
presence of over-qualified staff or 

inappropriate skills relative to the 

task can indicate the presence of 

diseconomies or inefficiencies and 

can increase the possibility of 

ineffectiveness. 


32. Absence of staff training - the X x xX 


absence of training opportunities 

in situations where skills are 
important can increase the possibility 
of significant deficiencies of all 
types. 


43 


Type of Significant Deficiency 
Econ Effic Effect 


33. Unusually high turnover of staff - X X Xx 
lack of continuity in key staff can 


signal that diseconomies or 
inefficiencies are present. This 
situation can also lead to 
ineffectiveness. 


Audit Experience 


34. Long period of time since last x x x 
internal or external audit - because 


an audit may deter deficiencies, its 
effect may be greatest just before or 
just after an audit. As time passes, 
the risk of significant deficiencies in 
all areas increases. 


35. Previous audit findings - if X X X 
positive findings were reported 


previously, this could lead to 
laxness and thereby increase the 
possibility of significant 
deficiencies. On the other hand, 
previous negative findings can also 
increase the possibility of 
significant deficiency. 


- can 
seat?’ 
a 


Vigk i .. 


wcokpmatolsel Bse0r 


14 


Analysis of Control Risks 


After assessing inherent risks, the auditor should turn to 
assessing control risks. The preliminary evaluation of control risks 
during the audit planning phase will provide information on the extent 
to which internal controls can be relied on to prevent or detect 
significant deficiencies. To a large extent, the assessment of control 
risk depends on evaluating the adequacy of the system of controls in 


effect and the entity's compliance with then. ’ 


Arthur Andersen's Guide for Studying and Evaluating Internal 


Controls in the Federal Government outlines a detailed approach for 
internal control evaluation that provides a useful model for control 


. 8 
risk assessment. 


Andersen defines internal controls as the "methods by which an 


- : : 9 
organization governs its activities to accomplish its defined purpose." 


The general objective of an internal management control system is: 


... to provide positive assistance in carrying 

out all duties and responsibilities as effectively, 
efficiently, and economically as possible, considering 
the requirements and restrictions of all applicable 
laws and regulations. 


et meron btgcate! dentine ent . “ 


, ert rastees Is: * 


oe a 


i, 
s—etee 1S 8 eee = 


cotmes to waoetengum f= see * a mae 


Lanseont. nie ins ¥ 


: 7 ve 


fnetek to seep a2 Go & a. 


ani elostneS 1. metnte ont ts ¥ ‘ , bh . 


"ck ate 


cot teeomgqs bodiage®. & sm ens Lage! 
es: 
fesuna> 10? leben iam 6 ns Pee 


a P dine de 4 


Aan 


amc 
dolve qa bonus) aap ed atoateee Daa ACe, 


seoqtay hon !*ab ati catigaoous se aptsivites wed pase 


banat: 
sat oetoye, coRInem spoceyeante 4 


7 —_—_ U = 
nese: youqd ©7 
I we ; | ah ile 2: 
via oolalk | teas 


piiveckespen + eel <7 
sivsotiage fis 38 ony none eal 


Lo 


The more specific objectives of a satisfactory control system 


c are: 


(1) Promote efficiency and economy of operations. 
(2) Restrict obligations and costs, consistent with 
efficiently and effectively carrying out the 
purposes for which the agency exists, within 
the limits of congressional appropriations and 

other authorizations and restrictions. 


(3) Safeguard assets against waste, loss, or improper 
or unwarranted use. 


(4) Insure that all revenues applicable to agency 
assets or operations are collected or properly 
accounted for. 


(5) Assure the accuracy and reliability of 
financial, statistical, and other reports. 


The entity's system of internal controls is designed to 
provide reasonable but not absolute assurance that the organization's 
activities are being carried out in accordance with its objectives. 
Factors such as cost/benefit limit the capacity of internal controls to 


provide absolute assurance. 


Andersen's Guide outlines approaches for identifying relevant 


internal controls, evaluating the adequacy of the controls using control 
objectives and identifying risks or effects resulting from ineffective 
or absent controls. The approach is flexible and is intended to be 
tailored and adapted to the unique requirements of the entity being 


audited. 


| _ 
daphne atysisne » 

nda son Jud bSdianc: 
ad ou helstx5>: grited vw 


a) Dpnpteet al ‘@lozzace 
sizasinegeo wet rag 


atv Se stifo mag paneer 


oo elozaen eqeeerad Re: cdisages shah drtanedyeecs «> © 
7 ,eonssueta es 


a! 


sods! e= an ie? }pamul on sortoaernaiis sanktior BBhe einees* 
fernine: suse eimiinas Sal Te 9. goitipab! with qantas opie. | 


ayisaeraanh sot gaitsuord alee «0 etele galytisnat! Bat 
ceed luat Bape spajeet? ab seemiqye ec? seleran” 


et? te etoadeciape: Saptes 06 Od betqe>s . 


a3 aa ke 
yeled rises 


16 


The control risk indicators below are generic controls that 
can reasonably be expected to be in place in an entity to prevent the 
occurrence of significant deficiencies. The lists should be viewed by 
the auditor as a starting point for developing controls that are 
relevant to the particular entity being examined. The auditor should 
identify relevant controls and control techniques by considering the 
inherent risks present and the methods needed to control these, and the 
key systems and operations of the entity. The auditor should document 


the impact and combined effect of absent or deficient controls. 

The generic controls below are grouped according to broad 
activity areas or cycles: policy and planning; budgeting; programming; 
personnel; procurement; asset and liability management; and reporting. 
Control Risk Indicators 
Policy and Planning - The tasks performed as part of policy and planning 
that are key to evaluating internal controls involve defining and 
communicating: 

= the objectives of the agency; 
. long and short-range plans for the agency; 


= the framework for reporting to management; 


= responsibilities for safeguarding the agency's assets; 


aft pea tebdegat 
io® toe , eoade onan 


weenie Sipe s 
sivssaoe 


seord Gd Gace tee 

j AD Bt 

wy een idioma red Freie ay jase 
wengswoge: bat ‘nates il a hau tinewe2! 


7 | 
en oe nism 
we acee l= Gp pbs joy = OS asned eae * os 

scr qatetaad eviownt ateasng aammarel qnaveuteve c° 


1? 
ae 
cyorepe ant to aeviscoat+: 
‘ . 
Vygorenpe sue =oeenelg eyear-riote Or 
7 ann ew 


\etogae a ysaraps ens athreupetee 26% eubstiicia:.- 


: i . 
a -» 


L7 


responsibilities for safeguarding critical asset control 
forms, critical records, transaction processing areas and 


transaction processing procedures; 


plans for the replacement or restoration of lost, damaged or 


altered assets, books or records; 


authority to determine the nature, extent and timing of 


events; 
authority to initiate transactions; 


authority and procedures for recognizing, processing and 


reporting the effect of each type of event; 


authority and procedures for determining and modifying 


transaction processing procedures; 


a plan for classifying activities in accordance with the 


established plan; 


responsibilities for procedures for the periodic 


substantiation and evaluation of reported activity, and of 


12 
compliance with processing procedures. 


oe 7 
sa gotial®? pnw tows oranan elt 
: 
= mo 
vniaveamemsassitels oi olla 


-, 
ilabebe! gaie> 
pascaay .yelalngese> = 


saneo omens 


nprdes: 
yniy ti bon! oes oiinkwsatal sin wisest to 
eertaneatrag Gatemneray 20122 


18 


Budget - The budgeting cycle begins with developing a budget, includes 
the review and approval process, and ends with monitoring the budget 


versus actual reports and planning for the next budget. 
Key functions to evaluate for assessing control risk include: 
- planning and scheduling the budget process; 
- developing budget forms; 
- training in budget procedures; 
= distributing instructions and forms; 


= co-ordinating operating and financial personnel in budget 


preparation; 
i consolidating and summarizing budget data; 


= submitting and controlling the budget through the approval 


process; 


= controlling budget changes; 


7 communicating budget changes to the organization; 


19 


providing the final budget to finance personnel for use in 


budget versus actual reporting; 
~ reviewing budget versus actual reports; 
- investigating variations; 


- using budget versus actual reports in planning for the next 


budget. 7° 


Program - Each program cycle includes the functions that accomplish each 
of the department's program objectives. For example, in the case of Old 
Age Pensions, this includes distributing pension payments to senior 

S1ti zens. Thus, the relevant tasks for evaluating program-related 
internal controls must be determined for the particular program 
examined. Typical program functions related to internal controls 


include: 


= program planning in accordance with law, regulation and the 


budget; 


= acquiring of personnel and resources to accomplish the 


program; 


- developing standards for program execution such as recipient 


eligibility based on law, regulation and policy; 


a. fewde 7 | a 
xen aes 30% pribaig st 25 7 ‘ 7 ‘paiev 


ses taiicneove go analgume! i a 


efo to aac anda pinay sevtzraido aneport ‘snem>:+ 
stipe a shane aaa aon aKa yen 


necsiar-sameery puitenewne ee ieee Seeraten att eur” 


sstgong slenksam ets ro? baalsredas of $ave ploxsa 
dione cecmeral of wezaten aaphionnt miempoee, Lote," 


i. ane 
Los bos cobzeiogee wer adiv esqabedae a) Ratanetg emtyo™. 
Se tae. 


of? ssi qaouos a9 eqcryones Bee fennowseg to grisicc.. 
(mEsFo x: 


statgtaee tm cue motives aongeiiy sm ebvabnsse paiqoiey:- 
“ekieg ® one antralogel whe Genet Yriiiciy: i+ 


20 


managing people and resources to accomplish objectives - 


a7a.) 


-- process applications 

-- establish and enforce regulations 
-- enforce laws 

oe provide income security 

-- audit recipients 


-- handle complaints 
monitoring of accomplishments of program objectives; 
redirecting resources to better meet objectives; 


planning for and acquiring additional resources as part of 


14 
the budget process. 


Administration - Andersen outlines six common administrative cycles: 


personnel 

procurement 

disbursements 

— payroll 

ie other 

receipts 

asset and liability management 


its: 
administrative support 


neohome aged 35 adres hemecse on 
a 
ae 


seenesetts sean tected of eorviousr galiosti t= 


me’ 6 


isithe aneeee Siar en 
a) sesnong Segaud 
i 


. estretgeleieie tequep ale eenlizee mewseea’ — 185 
® @§ ‘6 


Jaancet 


'o Fou 65 ReOTHONesS lait 


2 


21 


The cycles most pertinent to a value-for-money examination are 
personnel, procurement and asset and liability management. Typical 


tasks related to internal controls for these areas are listed below. 


Personnel - This cycle begins with hiring personnel and ends with 


terminating employment or retirement. Typical control-related functions 


include: 


- recruiting 

= testing 

- employee selection 
- hiring 

- assignment 

- training 

= evaluation 

- promotion 

= termination 

= retirement 

= maintenance of personnel records 


: : 16 
7 wage and salary administration 


taclay? 


a2 


Procurement - This cycle includes functions that: 
9 
- draft bid requests; 
- advertise; 
- evaluate bids; 
- acquire property, goods and services through purchase 
orders and contracts; 


; : ‘ LH 
= classify, summarize and report what was acquired. 


Asset _ and Liability Management - This cycle includes the following 


functions, some of which will likely be examined as part of the attest 


review: 
> physical control of cash; 
, = physical control of property and inventory; 
= maintenance of receivable, payable, and other asset and 
liability records; 
- control of classified and confidential information and 


records; 


18 
= control of trust funds and related records. 


Reporting - This cycle includes information from other cycles and 
analyses, evaluates, summarizes, reconciles, adjusts and classifies the 
information so it can be reported internally and externally. The end 
Products include operational, financial and other types of reports. > 
The use of these reports by management to improve the quality of 


operations is also a key function of reporting-related controls. 


nijeut apegn abet ~ snamepanetish Luss bi 
soaee vel UIRRLE Dike fipl@e 0 se=° ) 


ncicolial; sio°> 


S200 


aa 40 +204 as Se 
ae 


jidaae 20 serine” fepieys) 


syrosrevat bas Vrregeas te fesinon fovla\.-i 
silts bime ,eldauell _sidevlases 30 ‘ennacetcl ex 
yetcoosd yoiide:' 


> kaeseenenas Gee Gulatasato.3o fos"°° 
9s67Co4 1 


— 3I@=S69 


no] *<e=7oln 


| spaimers Retegers ee ae tease Te Fes2" 
ones? 
west ,easansers 


<astie sort 


‘ae Satay 


aei¢tioanic ris é2ecthe « 


cow off ._iiadsetse Bhs ed neo =f oe 
4 . ats 
.wzwatsae: I> eeey Tess > eho: 
te yliasp oe 4 hb ce eent: 
i # | aeoais 3! 


os 


‘9 


Selecting Areas to Audit and Audit Strategy 


At the conclusion of the audit planning phase, the auditor 
should have sufficient information to document areas in the entity that 
appear to contain or are likely to contain significant deficiencies. 
This information can then be weighed in combination with other 


considerations, such as materiality, to select areas for audit and to 


plan the audit strategy. 


The extent to which inherent and control risks are present in 
the audit entity has a direct effect on the nature, extent and timing of 
audit procedures. If inherent and control risks are both high, a low 

0 degree of reliance should be placed on internal controls. Consequently, 
little or no compliance testing may be necessary because compliance with 
poor controls would provide little comfort. In such a case, there is 
the need for an increase in audit resources and audit intensity. 


Substantive audit testing and stringent evidence would be required. 


Alternatively, if inherent and control risks are both low, a 
high degree of reliance should be placed on internal controls. In this 
Case, extensive compliance testing would be indicated. If the 
compliance testing confirms original conclusions about internal 


20 
controls, extensive substantive testing would not be necessary. 


i) 

so2ilee at seed ov innate. tame 
ett otitns ecty ab. Sage ee 
pstomicltah taetagia atenes 
eatite trhe cbdimanidesa nt wean metsarcio: 

dg ee tote 360 sieee 260ree ait pesakaeieway eam Verel2e~ 
<qvateste Sihce « 


ni uns Tg am Mite seine ae Legumir? aabdielod’daetes aisT 
q unital > te dred ppcoen off ap tana geasit @ Gad yslire -- 
vol + wpa cred own eaets Terme ie Sereda 32 «eerebenc: 
sLinevpeencd » Sioeiies erzedat né Seoplq ed Sincds ecealioas °: 
ofp aupel tones. etnetied (amaetes ad yan palseed eorbiiqaos er ~ 
st oust? see ge. ot rote alate) ebivexay St ve% eio<-:. 
tieneoet 22686 Oe — aitbus at @ase modi i 367 | 


besbeges & bluse conw> cw ieepalsal Baa patsaes Sites av: 


» wo, eed ote beds. textars bee gnaveaal Th yyleviserses!* 
até? sl 0. ab-wiess Lepetsl vioaty ed Mivote sonsifes Yo °° 
“2 2x .eecep tio’ ow bivow gihtea? eonskiqeco wviens: 

fortens! teote ee ., ¥ 


i anecdeed 20 Sen amateial 


24 


Minimizing Audit Risk 


One part of overall audit risk is, as stated previously, 
client risk. The second element of overall audit risk is audit risk. 
It can be minimized by employing audit procedures that are appropriate 
and of sufficient quality, given the level of client risk present. 
Audit risk is best controlled through effective audit methodology and 


procedures and their appropriate application by skilled auditors. 


As defined earlier, audit risk can result from sampling risk 
or other, non-sampling related risks. Sampling risk relates to 
sufficiency of audit testing. As long as only a portion of the total 
population is examined, there will always be a risk that the sample is 

not representative of the total population. The extent of sampling risk 
6 can be quantified’ and thus controlled when statistical sampling 
techniques are used. Given the desired precision level, the auditor can 
adjust the audit sample size to achieve a desired reliability level. 
For judgemental, randomly selected samples, there are no objective 
means for determining sample risk. Consequently, from a risk control 
viewpoint, it is preferable to use statistical sampling techniques for 


ZA 
the selection of audit samples. 


Non-sampling risk can best be controlled through quality 
audit management, supervision and review; audit training resources; 
Quality audit methodology and procedures; co-ordination between audit 
team members; availability of auditors appropriate for the requirements 


' of the examination; and adequate time resources. 


: 7 : 
= 
— 
a? 
: = -_ 


aes 4 et WAC 
me me Arner actu att ety 
ode ogee eve 2eae | a petyorens vs pes laine of 
Seong sate. danede, te-coeleee weets) .@2ideay 2celois*Ge 

ne gm ietser 6Liup. evispelie. Peetidhs Leliestiop cen’ © mie 
.wrotiine tallise qv anbreotige Sr ‘leo? ‘wa 


qaie Qnilgnee «th3 ¢.4ee0: Gee Min giger. retira® & Kgzah a6 
at enter thn Geliqes’  pedein tersie® HU eee 

Leget ed? So epleuny 6 'Ghes OF pRol GA, «pRtvee? “owe > * ao imat 

of eiqnee Oda 608? falDe ed eyotia J (fw eh’ peal errs. 4) 
dintipesionee Tagnetee et? @ubtaihaee dams 649 “oe syere Neem 
gniiquas. jaghea dete Gade Dakiecsens ew = be) *S wy “a ' 

sav cosdGwe ot! . Level eulaineng Marlen eo! re AS ap «we o@ge 
evel (i itaviien ealees @preltes oo ect eiyeee Gin on tent 


<a 


_ 


evidecio> 06 220 Gets ,825Qme padadiar Yoscmr. 6 er~as 
texsoce Mala @ cot? .vioompeseO vets Sige’ Pia set WR oan 
703 seupindnet pnriiquay enarennsase ons Ge afdoneé)) «' *) .aoleqe 
te adden 7690 >» % maken n 


ye tianp teerrey Pellaxsage ml teem au wale pal wre a 
. tuectenen punters. ries (watves bos faleieteq.r . Prony ens | 
Sinus rwiemed cobtedkbse-to. (eeresenetg fp qoleboscer situe 


pi 


CONCLUSION 


This paper defines overall audit risk in terms of the value- 
for-money areas of economy, efficiency and effectiveness. Overall audit 
risk affects the audit entity by allowing diseconomies, inefficiencies 
and ineffectiveness to persist. Overall audit risk also has serious 
effects for our Office in terms of providing false comfort to 
Parliament, which relies on our audit conclusions. There are two ways 
to minimize overall audit risk. The first is to select areas for audit 
based on risk. The second is to employ audit procedures that are 
appropriate and of sufficient quality to detect significant deficiencies 


mnat exist. 


. - ; 
ri : 
on 7 . 
ae ein 
eter ae 
i hi a. A, gas be 7 
Payee adeetiateiiateininiieacdinal ae y' 
mi tia nt a on — ewe ie r 
nusienn aan cote. apes * - “ww 
wiee ot ace wrerlt pee oe hot (uti 43 
thus 463 euete Sasios o7 ef auzt ae Sctes Libzewn 
ave sata aumpleyay take We sal hescew ede aon 
cotoumneates eeblice inn tate tq) tan 


_ 
s) 


_ 
7 J 
aa 
-_ - 
® 
_ 
i 
: 
= - 
: - 
7 7 _ 
- — 
> a 


y Se ae eee ee 


26 


Notes 


a. Discussion Paper No. 19, Report on the Review of the Evolution of 
Comprehensive Auditing, May 1983, p. 30. 


e. Updated Draft Report on Audit Philosophy Project, 25 May 1984, p. 


a Extent of Audit Testing, A Research Study, CICA, 1980, p. 49. 
4. fD20, D. .49 


5. P. Munter, "Risk and Materiality in an Audit", Canadian Public 
Accountant Journal, November 1984, pp. 34-40. 


6. C. Brewer, Audit Risk: Auditors' Perceptions and a Proposed 
Taxonomy for Audit Risk Analysis, 1982. Peat, Marwick, Mitchell 
Foundation Audit Research Papers. 


Pie Extent of Audit Testing, A Research Study, CICA, p. 48. 

B:. A. Andersen and Co., Guide for Studying and Evaluating Internal 
Controls in the Federal Government, 1982. 

mee ibid, p. 13 

mo tba, p. 9 

11 aDiG, Dp. 9 

meee ibid, p. 22 

Beet bid, Dp. '23 

Te. dtbid, p.. 24 

is. ibid, p. 24 

oO. 1bD1d, Pp. 25 

en bids Ds. 25 

eee Sida, De a7 

Pee tits Ps 28 


20. Extent of Audit Testing, A Research Study, CICA, 1980, p. 50 


21. C.S. Warren, “Audit Risk", The Journal of Accountancy, August 1979, 
p. 70 


c 8Ll6 


ih 


HAVA 


